topic Re: Not able to find users from Splunk UI ???? in Security

Not able to find users from Splunk UI ????

harishalipaka — Tue, 29 Sep 2020 22:38:40 GMT

Hi All,

We have Created Role with name "Pulsenewuser" with the capabilities (edit_user,edit_roles,edit_roles_grantable) .
When we are adding "Pulsenewuser" Role to the users ,we are not able find the users from Splunk UI.

please can you help me out from this ,we are using splunk 7.1.4 enterprise edition(same thing working fine in splunk 6.6.2)

Re: Not able to find users from Splunk UI ????

inventsekar — Thu, 03 Jan 2019 12:03:05 GMT

may i know, when you run | rest /services/authorization/roles , do you get the "Pulsenewuser" listed out?

Re: Not able to find users from Splunk UI ????

harishalipaka — Thu, 03 Jan 2019 13:06:06 GMT

@inventsekar

Thanks for your reply..

Yes ,am getting the "Pulsenewuser" list

Re: Not able to find users from Splunk UI ????

harishalipaka — Fri, 04 Jan 2019 07:11:18 GMT

@inventsekar
yes,we did logout and login.

Re: Not able to find users from Splunk UI ????

skalliger — Fri, 04 Jan 2019 09:24:19 GMT

What is your problem exactly? The role is used to create new users but you can not create new users? Are the users found in the following rest call?
| rest /services/authentication/users

Skalli

Re: Not able to find users from Splunk UI ????

inventsekar — Fri, 04 Jan 2019 11:24:52 GMT

when you create Pulsenewuser, did you just create from zero or did you create by cloning an already existing role and edited?
if you created Pulsenewuser from zero, maybe, delete it and clone a very basic role and edit/update the roles.

Re: Not able to find users from Splunk UI ????

tchimento_splun — Tue, 29 Sep 2020 22:40:50 GMT

By including edit_roles_grantable as a capability you have specified that any user assigned to that role will be limited to the capabilities that were included in that role. The result is that all the users who already existed and have been assigned to a role that has MORE capabilities than the role 'Pulsenewuser' will no longer be accessible.

General behavior and configuration guidance for edit_roles_grantable:

In the UI create a role called subadmin [or name of your choice] and make sure the following options are configured:

[role_subadmin]
edit_roles_grantable = enabled
edit_roles = disabled
edit_users = enabled

When the new role is created, the following change will be made in Splunk/etc/system/local/authorize.conf:

grantableRoles = subadmin [you should confirm this - if the entry doesn't match that, make the change. ** After any manual edits of authorize.conf, use Settings > Access control > Authentication method > Reload authentication configuration or changes won’t be applied.]

Configure the subadmin role in the UI to include/exclude the capabilities to meet the specific limitations you want to impose on the subadmin. Create a newadmin user and assign them to the subadmin role. The user newadmin will only be able to see and use the capabilities that are included in the subadmin role.

For example, if you want to remove access to the delete_by_keyword capability, configure the subadmin role as described above but without the delete_by_keyword capability. When the newadmin user logs into Splunk, they will not have that option in their list of capabilities.